Software security courtesy of child labor

We couldn’t help but poke a little fun in the headline. This is [Alex Miller], a twelve-year-old who claimed a $3000 bounty from Mozilla. See, [Alex] is a self-taught security guru. When Mozilla upped the reward for discovering and reporting critical security flaws in their software, he went to work searching for one. He estimates that he spent an hour and a half a day for ten days to find the hole. Fifteen hours of work for $3000? That’s pretty good!

Is it good or bad to pay for these kinds of submissions? The real question: is the bounty high enough to get blackhats to report vulnerabilities, rather than selling software that exploits them? Let us know what you think in the comments.

34 thoughts on “Software security courtesy of child labor”

1st. I’m jealous. I wish I was that technically adept now, let alone at 12.
2nd. Yeah, I think it’s great to encourage people to share this kind of stuff. I know I personally would put more work into it if I knew there was more than e-fame in reporting big flaws.

I think, at the minimum it may provide incentive to those that have the skills to improve software but normally wouldn’t be bothered. If I had any clue what I was doing, the monetary incentive would increase my chances of spending time to fix this stuff.

Three grand doesn’t strike me as being near enough to make reporting a fresh 0-day vuln worth a black hat’s while; if being a black hat didn’t pay a living wage (i.e., a lot more than any measly three grand), it wouldn’t be such a big industry in the first place.

@BobSmith,
Often, people go by usernames/nicknames on the web. This can cause a lot of confusion, especially when their name is a technical term, or just plain gibberish. Putting their name in brackets identifies it as their name. We’ve always done it and plan to continue. We are, however, aware that we may not have the best grammar. We’re trying to improve this.

If he found just one exploit a month, and got $3k for each one, it would be an okay wage. Not as much as he’d make as a programmer, but possibly much less demanding – he wouldn’t have to report to work at a given time, etc.

Either way, I certainly think these things are fair to pay for. Some people might want more money and they might sell to the black market, but for all the good people out there who aren’t in it for the money, $3k is enough to justify giving it up to the good guys. Sure, they could be a bad person and make more money, but there are plenty of people out there who don’t work that way, unless it’s lots of money.
-Taylor

You call this child labor; better if you don’t know what even younger children have to do just to make this amount of money in a year in India.

Exploit development and bug hunting don’t pay off that well. Those who have been selling exploits probably know this already. You can get more money with a normal coding job. Also, this kind of work requires special thinking; not everyone has the ability to be good at it. Let the few who are make money this way.

Microeconomics would suggest that as supply (of working exploits) decreases, the price people (bad guys) are willing to pay should increase. Although, if some exploits are harder to find than others, then we would expect rewards like these to result in discovery of the low-hanging fruit, so to speak.

So, if you’re a bad guy and you want to buy an exploit, the remaining ones are going to be more expensive because 1) there will be fewer blackhats to buy them from and 2) they will require more time and/or skill to identify. As a result, the system itself might guarantee that not all the possible exploits are identified because the cost to identify them increases as more exploits are identified.

If rewards like this didn’t exist, then blackhats would have a greater supply of exploits because presumably it would take longer for software firms to close holes they are not aware of. Greater supply exists because blackhats could keep selling the same exploits over and over again.

I think that more important than the $3000 bounty is the recognition he received for potential university recruiters or job headhunters. This is definitely portfolio worthy if he decides to get into the security or IT field.

I never knew anybody paid at all for bug reports. I thought they were free, just pointing out “hey, fix this.” That is awesome, a lucky kid, and do you think he put the money in savings for his future or built a six-core desktop?
No more anonymous bug reporting from me!

There are even companies that pay you for finding bugs and make money by selling the knowledge to the company that makes the software. The problem is, on the black market one can achieve a price that is ten times higher.

Okay, so the basics. How to make money finding vulns:
1) Be a blackhat. Find a vuln, exploit it to steal peoples’ WoW gold, sell it back to them for real money, etc. (Or sell it to someone who will steal the WoW gold.)
2) Sell to 3rd parties. There exist agencies in every major government, and also commercial companies, that buy vulnerabilities. They pay good money for vulns. This is probably the sweet spot, since you make decent dough, and you don’t have to go to jail (unless you sell them to the wrong government).
3) Sell to 1st parties, what this kid did. This doesn’t make you much money. With most vendors, you’re lucky if they even thank you. However, you get exposure, and it’s sometimes (e.g. with Mozilla) less hassle than selling to a 3rd party. If you want an “in” in the security industry, this is a good way to make a name for yourself.

The people that the 1st-party bounties attract are the people who want exposure. Mozilla probably will not compete with iDefense, and certainly not with some shadowy TLA. However, white hats are more likely to look for vulns in a product whose vendor appreciates their work (Mozilla) than one who may try to sue them (Apple). It is extremely unlikely that $3k will sway a blackhat, but it is likely to sway whitehats.

Pretty sure you’d find more vulnerabilities in Chrome, plus Google is über wealthy. Sometimes I feel that I could do more when I was 12 than I can do now. I can hardly remember HTML, but back then I was proficient.

Kinda jealous. Finding a JavaScript bug isn’t that big, but still, for a 12-year-old, pretty cool. Maybe he just “fell” over it and that’ll be his one and only bug report (though he seems to know his stuff, when I look at the report), but let’s see what the future of this kid brings.

First, way to go Alex. Hope Alex keeps a level head, and is aware that the next payday may not come so easily, in so little time. Alex should be advised to diversify, so as not to put all his eggs in one basket.

Such awards are a wise investment if they convince current users or potential users that open source software is secure. A need to make too many such awards would have the reverse result, and may curb the donations coming in the front door that make these awards possible.

There is not a thing wrong with the post title. Concern about child protective services, in the manner it was brought up, has to be some more pre-election fear mongering that we just can’t get away from.